This article can also be found in the Premium Editorial Download "Information Security magazine: Why business managers are a breed of security professional."
Access control isn't just about keeping bad guys out—it's about controlling who gets into the infrastructure and limiting where they can go. Mapping access needs is a crucial phase of an IAM project, since this is when security managers need to determine which users and devices will have access to specific applications and data and from which locations (intranet, mobile computers, kiosks).
During this phase, the IAM development team needs to catalog all systems and applications; each system should be rated in terms of how critical it is to the business and assigned a value.
For each system, it's important to document the process for user provisioning, management and monitoring. On the technical side, note whether the system has open or proprietary application interfaces and IAM infrastructure, the type of operating system, and whether the application is in a steady state of operation or due for a near-term upgrade.
Enterprises also need to assign a level of sensitivity to data as it is being created, amended, enhanced, stored and transmitted. Data classification can be an arduous and time-consuming task, and many companies simply ignore it. At the very least, security managers should classify obvious confidential and regulated data, and assign it a level of minimum protection.
Many enterprises make the mistake of using existing access rules and accounts as baselines for new systems.
Security managers should use the opportunity of a new IAM infrastructure to recast all access rights. Rather than focusing on the "who," best practices dictate that companies should focus on "what" (what asset?) and "why" (does this person need access to this system/data?). Building role-based access provisioning in this way will help bolster security and ease the compliance auditing both during and after the process.
With an inventory of assets, data and access roles, security managers can define rules for authentication and authorization by selecting a security model that helps meet enterprise objectives without impeding business operations. In terms of authorization, security managers can now help map existing roles and groups to the assets they truly need and secure critical systems enterprise-wide with "need to know" security.
Enterprises also need to create standard processes for account creation, change management and deletion by documenting the current workflow, approval and provisioning process, looking for inefficiencies and opportunities for automation. Once designed, the model process can be complemented with auditing, automation and provisioning tools from vendors like BMC Software, Computer Associates, Courion, Consul, IBM Tivoli, Novell and RSA Security. Given the complexities of this phase, companies often cut corners—and run into security and compliance problems down the line. CISOs must step in to make sure that this doesn't happen; successful access mapping will lead to perpetual security and operations benefits.
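As an added illustration of the mapping phase described above (example code written for this page, not from the original article or any vendor), the following Python sketch uses a constructed inventory: assets rated for criticality and tagged with a data class, a minimum-protection rule per data class expressed as permitted access locations, roles that record the "why" for each asset they grant, and an audit that surfaces unjustified grants and orphan accounts.

```python
from dataclasses import dataclass, field

# Constructed sample catalog: each system carries a business criticality rating (1-5)
# and the classification of the data it holds, as the mapping phase requires.
ASSETS = {
    "payroll": {"criticality": 5, "data_class": "regulated"},
    "crm":     {"criticality": 3, "data_class": "confidential"},
    "wiki":    {"criticality": 1, "data_class": "internal"},
}

# Minimum protection per data class, stated here as the locations from which
# access may be granted at all (constructed policy, not a standard).
MIN_PROTECTION = {
    "regulated":    {"intranet"},
    "confidential": {"intranet", "mobile"},
    "internal":     {"intranet", "mobile", "kiosk"},
}

@dataclass
class Role:
    name: str
    # asset -> business justification (the "why"); an empty reason is an audit finding
    grants: dict = field(default_factory=dict)

ROLES = {
    "payroll_clerk": Role("payroll_clerk", {"payroll": "runs monthly pay cycle",
                                            "wiki": "reads procedures"}),
    "sales_rep":     Role("sales_rep", {"crm": "manages customer accounts",
                                        "payroll": ""}),  # copied from an old baseline
}

# user -> roles; an account holding no role is an orphan left behind by provisioning
USERS = {"alice": ["payroll_clerk"], "bob": ["sales_rep"], "carol": []}

def authorize(user, asset, location):
    """Need-to-know decision: some role of the user must grant the asset, and the
    request location must satisfy the minimum protection of the asset's data class."""
    if asset not in ASSETS:
        return False
    if location not in MIN_PROTECTION[ASSETS[asset]["data_class"]]:
        return False
    return any(asset in ROLES[r].grants for r in USERS.get(user, []))

def audit():
    """Compliance findings, highest-criticality asset first: grants with no documented
    reason, then accounts that hold no role."""
    findings = []
    for role in ROLES.values():
        for asset, why in role.grants.items():
            if not why:
                findings.append((ASSETS[asset]["criticality"],
                                 f"role {role.name} grants {asset} without justification"))
    findings.sort(key=lambda f: -f[0])
    return [msg for _, msg in findings] + [f"account {u} has no role" for u, r in USERS.items() if not r]
```

Note that bob is still authorized for payroll from the intranet: the access decision honours the grant, and it is the audit, not the runtime check, that exposes the baseline rule that was carried over without a reason.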
Striving for Scalability
Identity and access management spans the entire enterprise; in building an IAM solution, enterprises must define an appropriate architecture that allows them to start small, grow gracefully and, most important, avoid all-encompassing solutions that demand million-dollar investments and multiyear implementations.
To maximize benefits while avoiding technical lock-in, IAM services should feature a layered architecture based upon standard protocols (e.g., RADIUS, LDAP, X.509), data formats and APIs. There are three basic layers in the IAM services architecture:
- Identity Objects (e.g., user, device, file, application) sit at the bottom of the stack. They define anything with an identity that needs to be mapped to access policies and monitored for compliance. Identity objects vary based on company size, global locations and government regulations.
- Identity Services provide middleware like messaging, directory, replication and data services that link identity objects to IAM applications. Identity objects will take direct advantage of the identity services, while legacy objects with their own IAM infrastructure will rely on specific gateway and data translation (e.g., metadirectory, XML translation) functionality.
- Application Layer provides business, security and operations functionality through the identity services layer. Identity and access management applications will plug into the identity services layer through a handful of standard interfaces from leading software vendors and IAM infrastructure providers (e.g., Java, ASP/.NET, C++). As other standards evolve (such as authentication protocols like RSA Security's OTPS or VeriSign's OATH), enterprises will be able to integrate best-of-breed IAM technologies into existing architectures.
Security managers may be in unfamiliar territory during this phase as they tend to think in terms of "best-of-breed" products rather than architectural solutions. They need to focus on protecting corporate operations, long-term scalability and business needs by designing an identity management architecture, and then filling in tactical needs with standards-based tools that have an eye toward future integration.
This was first published in June 2005